MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46d5ad3a78bf9fe4f4799240caf67fae21f78c6d8a665e9a92719c0efec186c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 46d5ad3a78bf9fe4f4799240caf67fae21f78c6d8a665e9a92719c0efec186c4
SHA3-384 hash: c1e667196d9fa3c782dbaffeb237feae8fa3fcdbc16e46786d361d7025537392a88c56060b217d10a4d56e648e27fe0d
SHA1 hash: a5f9cb00428dbf3181a824bcf5bd885706f4c5b7
MD5 hash: b002ea1ea554717aa2e038420451bf4b
humanhash: red-potato-carbon-aspen
File name:SOA.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:817'664 bytes
First seen:2023-06-18 12:36:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:eiB2iNR5LbzIu9+r9LJeKiO0JVF6xDhBt7eU6Zr1QZOFKIxxAsqjgmpr5GnOi2:b1j5LA9huJ6ux1f8ILABzpcOx
TLSH T1990501A43669581FC56F0AFA80245331877C8356F596F3E70CC2B1F98AC2BE325265CB
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SOA.exe
Verdict:
Malicious activity
Analysis date:
2023-06-18 12:37:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/65e4fb64-73d7-4f00-9de9-b49837fd8adc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/400170/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo formbook packed remcos
Link:
https://www.filescan.io/uploads/648efa703866940aa93ace82/reports/825db3ba-5201-492c-9096-93c12f3e501f/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/46d5ad3a78bf9fe4f4799240caf67fae21f78c6d8a665e9a92719c0efec186c4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2095d663-eec6-43b6-a8c6-ea1ee25f8c92
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1256847
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 889867 Sample: SOA.exe Startdate: 18/06/2023 Architecture: WINDOWS Score: 100 40 Malicious sample detected (through community Yara rule) 2->40 42 Antivirus / Scanner detection for submitted sample 2->42 44 Sigma detected: Scheduled temp file as task from temp location 2->44 46 4 other signatures 2->46 7 SOA.exe 7 2->7         started        11 HJJliV.exe 5 2->11         started        process3 dnsIp4 30 C:\Users\user\AppData\Roaming\HJJliV.exe, PE32 7->30 dropped 32 C:\Users\user\...\HJJliV.exe:Zone.Identifier, ASCII 7->32 dropped 34 C:\Users\user\AppData\Local\...\tmp4C0C.tmp, XML 7->34 dropped 36 C:\Users\user\AppData\Local\...\SOA.exe.log, ASCII 7->36 dropped 48 Uses schtasks.exe or at.exe to add and modify task schedules 7->48 50 Adds a directory exclusion to Windows Defender 7->50 52 Injects a PE file into a foreign processes 7->52 14 powershell.exe 19 7->14         started        16 schtasks.exe 1 7->16         started        18 SOA.exe 7->18         started        38 192.168.2.1 unknown unknown 11->38 54 Antivirus detection for dropped file 11->54 56 Multi AV Scanner detection for dropped file 11->56 58 Machine Learning detection for dropped file 11->58 20 schtasks.exe 1 11->20         started        22 HJJliV.exe 11->22         started        file5 signatures6 process7 process8 24 conhost.exe 14->24         started        26 conhost.exe 16->26         started        28 conhost.exe 20->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/46d5ad3a78bf9fe4f4799240caf67fae21f78c6d8a665e9a92719c0efec186c4/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2023-06-16 02:41:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i3k22otyx6p6j5dzsjamv5t7vyq7pddnrjtf5gusogoa57wbq3ca._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230618-ptf99sfc62/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
63bf875417a4d14485debe930a5948b79f02b45bd9669c530e717d929bb8da99
MD5 hash:
f927688f7160b7a62052b1d3ff01d77c
SHA1 hash:
bb0924d0778ae7ca1992c3fedbc4f3a6301584cf
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/a401c1c2-25c3-4565-afd6-2599b6cf7a00/
Parent samples :
ad8413339b31fc3d1dced5bea0a98a95dcc5751108b4cf1553cf040c4a2159b9
46d5ad3a78bf9fe4f4799240caf67fae21f78c6d8a665e9a92719c0efec186c4
d53929503f5d9632f215cf24983b0b2700f10db634265bcefe2cd8fa4efaf2f7
e57990a97315ade20a7437d5c666851134167d95aa5b72c02cdb299a7202fa62
ed570698ccddfc346f65b5b86045d8af239e0d2400acd5836818b95e7b658cff
412c6188c1ab56d9a41bc91aa4b39e664ec9346a718a7ae9bf495618230d7c2d
b45f9e29351506203a4101b1559e928ec3de39850008d82598b8ce1c3a7a13c3
117657ffb63ef0b6355173babb3e4fd141dc8be775e2ef30c23953b6396f4f45
00d56f9d4e23372133f953d1a0bb58567bc2e9bc34f9e70304116a6382448458
713295015c5460b487bd9e9fbe4ac0e600791a47911852e5a5feec1bafbb55fe
SH256 hash:
f01a6fc735878ac63e8b5585179a21b4dea5d15b5c679ac90cbab1a9d36958cf
MD5 hash:
3532237c1316ef2cc8a39372a6b5f72c
SHA1 hash:
5cf317deeff0ce552c933c7d4e44ef3f5bd7746e
Link:
https://www.unpac.me/results/a401c1c2-25c3-4565-afd6-2599b6cf7a00/
SH256 hash:
52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1
MD5 hash:
c785ddc46141af772c75101d17c46a41
SHA1 hash:
e248723b6f60cc7607980d07172b64c33b2b2f15
Link:
https://www.unpac.me/results/a401c1c2-25c3-4565-afd6-2599b6cf7a00/
SH256 hash:
b86193f0f5eeadf451f23596dffb4d015245311c67bc15244c2b1c81293d3679
MD5 hash:
be09d1a9fbdc7fe4ad47e49a0ccf2a0e
SHA1 hash:
3eea7d856de59fefd670110c2edda63c319a5a1b
Link:
https://www.unpac.me/results/a401c1c2-25c3-4565-afd6-2599b6cf7a00/
SH256 hash:
abc14ed0e562d90108c0e1a9ac2ab93c13bec2efaa1804b2ef3e69ddf6181485
MD5 hash:
fcba589d97722d95843b693957dbda8b
SHA1 hash:
193badbeca854197f25a8ce7ab9b336da11c229a
Link:
https://www.unpac.me/results/a401c1c2-25c3-4565-afd6-2599b6cf7a00/
SH256 hash:
dc672cad4586691c71ae9cb9d3ed4e407c5635bbdea7dd5c7b66bec24a35c5ee
MD5 hash:
34035a4619f3e02c96ae73648b0097d5
SHA1 hash:
17057d2a5ee69969c09b962fc49e9b530f297a45
Link:
https://www.unpac.me/results/a401c1c2-25c3-4565-afd6-2599b6cf7a00/
SH256 hash:
46d5ad3a78bf9fe4f4799240caf67fae21f78c6d8a665e9a92719c0efec186c4
MD5 hash:
b002ea1ea554717aa2e038420451bf4b
SHA1 hash:
a5f9cb00428dbf3181a824bcf5bd885706f4c5b7
Link:
https://www.unpac.me/results/a401c1c2-25c3-4565-afd6-2599b6cf7a00/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/46d5ad3a78bf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/46d5ad3a78bf9fe4f4799240caf67fae21f78c6d8a665e9a92719c0efec186c4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 46d5ad3a78bf9fe4f4799240caf67fae21f78c6d8a665e9a92719c0efec186c4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/400170/

Comments